apparmor denies access to vms for libvirt

Bug #1473421 reported by Sergey Kolekonov
This bug affects 6 people
Affects: Mirantis OpenStack
Status: Fix Released
Importance: Critical
Assigned to: Aleksander Mogylchenko
Milestone: (none listed)

Bug Description

After a compute node is rebooted, apparmor starts to block access to vms for libvirt daemon.

Example logs:

/var/log/kern.log:
<5>Jul 9 13:06:54 node-4 kernel: [ 18.127069] type=1400 audit(1436447214.575:19): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=3724 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
<5>Jul 9 13:06:54 node-4 kernel: [ 18.127303] type=1400 audit(1436447214.575:20): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=3724 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"

/var/log/libvirt/libvirtd.log:
2015-07-09 13:09:09.983+0000: 3728: error : virProcessKillPainfully:373 : Failed to terminate process 5613 with SIGTERM: Permission denied

  release: "7.0"
  openstack_version: "2014.2.2-7.0"
  api: "1.0"
  build_number: "14"
  build_id: "2015-07-08_12-22-41"
  nailgun_sha: "976baf842242a5f97c95bdc3e20328fa0558bf69"
  python-fuelclient_sha: "018c53561baa87397e50368c7f48674829c322c0"
  astute_sha: "9cbb8ae5adbe6e758b24b3c1021aac1b662344e8"
  fuel-library_sha: "6b0c909ad800e9d17bc7436affcc814db3e05cd3"
  fuel-ostf_sha: "e3ad92b0e4a9301ffe0969a3bc5d6073966a27b4"
  fuelmain_sha: "185d21d4d42233d5abbc57728e94c8f70114a49e"
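The kern.log lines above are AppArmor audit records (type=1400). A small parser that turns them into structured events and counts denials per profile and operation is a convenient way to spot this failure mode on a compute node after reboot. This is an added example, not code from the bug report or from the Fuel/libvirt packages; the sample log text is constructed in the format shown above.

```python
import re
from collections import Counter

# Constructed sample: two DENIED ptrace records in the layout shown in the
# report, one unrelated kernel line, and one non-denial AppArmor record.
SAMPLE_KERN_LOG = """\
<5>Jul 9 13:06:54 node-4 kernel: [ 18.127069] type=1400 audit(1436447214.575:19): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=3724 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
<5>Jul 9 13:06:54 node-4 kernel: [ 18.127303] type=1400 audit(1436447214.575:20): apparmor="DENIED" operation="ptrace" profile="/usr/sbin/libvirtd" pid=3724 comm="libvirtd" requested_mask="trace" denied_mask="trace" peer="unconfined"
<6>Jul 9 13:06:55 node-4 kernel: [ 18.500000] eth0: link up
<5>Jul 9 13:07:01 node-4 kernel: [ 25.000001] type=1400 audit(1436447221.000:21): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/libvirtd" pid=900 comm="apparmor_parser"
"""

# Everything after the "audit(<ts>:<serial>): " prefix is key=value, where the
# value is either double-quoted (may contain spaces) or a bare token (e.g. pid=3724).
_AUDIT_RE = re.compile(r'type=1400 audit\([\d.]+:\d+\): (.*)$')
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_events(text):
    """Return one dict of fields per AppArmor audit record found in text."""
    events = []
    for line in text.splitlines():
        m = _AUDIT_RE.search(line)
        if not m:
            continue  # not an audit(1400) record, e.g. the eth0 line
        fields = {k: (q if q else bare) for k, q, bare in _KV_RE.findall(m.group(1))}
        if "apparmor" in fields:
            events.append(fields)
    return events


def summarize_denials(events):
    """Count DENIED records by (profile, operation, denied_mask)."""
    return Counter(
        (e.get("profile", ""), e.get("operation", ""), e.get("denied_mask", ""))
        for e in events
        if e.get("apparmor") == "DENIED"
    )


if __name__ == "__main__":
    for key, n in summarize_denials(parse_apparmor_events(SAMPLE_KERN_LOG)).items():
        print(n, key)
```

A non-empty entry for the libvirtd profile with operation "ptrace" is exactly the symptom in this report: libvirt cannot signal or trace the QEMU processes it owns, so stopping or deleting VMs fails.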

Tags: scale
Changed in mos:
importance: Undecided → High
assignee: nobody → MOS Linux (mos-linux)
status: New → Confirmed
Revision history for this message
Aleksander Mogylchenko (amogylchenko) wrote :

We ship custom libvirt (not from Ubuntu but from Debian), which does not have apparmor rules at all:
https://review.fuel-infra.org/gitweb?p=packages/trusty/libvirt.git;a=commit;h=abedecff4bede482906227a5cedbb17cf1b8302d

They should be added to the package, ensuring the presence of this particular fix:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1298611

Changed in mos:
status: Confirmed → Triaged
assignee: MOS Linux (mos-linux) → Aleksander Mogylchenko (amogylchenko)
Revision history for this message
Alexei Sheplyakov (asheplyakov) wrote :

> We ship custom libvirt (not from Ubuntu but from Debian), which does not have apparmor rules at all:
> They should be added to the package

I think switching off apparmor (via the kernel command line) is a better option.
This way we can consume updates directly from Debian Jessie without having to rebase the apparmor support patch.

Revision history for this message
Aleksander Mogylchenko (amogylchenko) wrote :

well, then the question is really this: do we need apparmor?

Revision history for this message
Sergey Kolekonov (skolekonov) wrote :

Such a strategy looks a bit strange. Does it make sense to use Ubuntu and then disable built-in features to support Debian packages?

Changed in mos:
importance: High → Undecided
importance: Undecided → High
Revision history for this message
Roman Podoliaka (rpodolyaka) wrote :

I agree with Sergey on this: libvirt/apparmor pair worked correctly in 6.1 and I don't see why we should change that just for the sake of bringing a new libvirt package from Debian.

Left as is, this causes multiple issues like https://bugs.launchpad.net/fuel/+bug/1481772 as well as breaking simple things like stopping of VMs.

So, IMHO, we should either use proper apparmor profiles for Debian libvirt package or roll back to the Trusty version of libvirt.

Revision history for this message
Aleksander Mogylchenko (amogylchenko) wrote :

The main purpose of having an updated package (not the one from Ubuntu upstream) was to introduce features not available there yet. So you should pick one of two: either the stable package from Ubuntu Trusty (with fewer features), or the more cutting-edge package from Debian.

Revision history for this message
Roman Podoliaka (rpodolyaka) wrote :

Then, I'm afraid, we should say no to features and use the version from Trusty (unless you are going to do a back port of 'apparmor-ready' libvirt package from Ubuntu Vivid or newer).

Revision history for this message
Bogdan Dobrelya (bogdando) wrote :

Raised to critical due to many duplicates

Changed in mos:
importance: High → Critical
Changed in mos:
status: Triaged → In Progress
Revision history for this message
Aleksander Mogylchenko (amogylchenko) wrote :

Could you please test if this package fixes the problem:
http://perestroika-repo-tst.infra.mirantis.net/review/LP-1473421/mos-repos/ubuntu/7.0

Revision history for this message
Aleksander Mogylchenko (amogylchenko) wrote :

Assigned to the reporter to do the test.

Changed in mos:
assignee: Aleksander Mogylchenko (amogylchenko) → Sergey Kolekonov (skolekonov)
Revision history for this message
Roman Podoliaka (rpodolyaka) wrote :

Alexander, I upgraded the libvirt packages from the repository you provided and now both `nova stop' and `nova delete' succeed. But it was just `smoke` testing, not a thorough one for sure.

libvirt packages versions: http://paste.openstack.org/show/412873/

NOTE: apparently a node reboot was required for apparmor profiles to be applied properly.

Revision history for this message
Sergey Kolekonov (skolekonov) wrote :

I've checked these packages on my environment briefly, everything looks ok

Changed in mos:
assignee: Sergey Kolekonov (skolekonov) → Aleksander Mogylchenko (amogylchenko)
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to packages/trusty/libvirt (7.0)

Reviewed: https://review.fuel-infra.org/10342
Submitter: Michael Semenov <email address hidden>
Branch: 7.0

Commit: 8594c4ab91acf3f00814426f3494e6701bdf7666
Author: Aleksandr Mogylchenko <email address hidden>
Date: Thu Aug 13 09:45:05 2015

Update libvirt-bin package to fix apparmor denials.

Patch source:
http://www.redhat.com/archives/libvir-list/2014-October/msg00011.html

Update of auto* files was required since Trusty comes with newer automake,
causing the build to fail.

Change-Id: Icf264fe6f0ccc68e6a85caab60a46f565c5ff04b
Closes-Bug: #1473421

Changed in mos:
status: In Progress → Fix Committed
Revision history for this message
Aleksander Mogylchenko (amogylchenko) wrote :

My previous analysis was not complete: libvirt-bin package from Debian does have apparmor support, although limited (because apparmor support in Debian is limited). I've updated our package with the patch from upstream fixing this problem:
http://www.redhat.com/archives/libvir-list/2014-October/msg00011.html

According to tests the problem is gone. The patch limits our ability to receive updates from upstream Debian (because we use a modified package), but on the other hand all changes are in one single patch.

tags: added: scale
Changed in mos:
status: Fix Committed → Fix Released